
Refactor Dependabot Project Manager to process PRs instead of security alerts#14225

Merged
mnkiefer merged 4 commits into main from copilot/update-dependabot-project-manager on Feb 6, 2026

Conversation


Copilot AI commented Feb 6, 2026

Dependabot Project Manager now organizes open Dependabot PRs for review/merging rather than creating remediation work from security alerts.

Changes

Data source: Switched from Dependabot alerts API to PR search

  • Uses search_pull_requests with filter author:dependabot[bot] is:pr is:open
  • Extracts package, version, and manifest path from PR title/metadata

Bundling logic: Groups PRs by runtime and manifest

  • Parses Dependabot PR title pattern: "Bump {package} from {old} to {new} in {path}"
  • Prioritizes by update type (security > major > minor > patch) instead of severity

Project tracking: Replaces alert metrics with PR metrics

  • Fields: PR Count, Update Type (vs. Alert Count, Severity)
  • Status workflow: Todo → In Progress → Review Required → Done

Copilot assignment: Issues now request PR review/merge instead of creating new PRs

  • Removed security label from create-issue config
  • Task shifts from "fix vulnerabilities" to "review and approve updates"

Example

Bundle structure changes from:

### 🔴 axios (GHSA-xxxx-yyyy-zzzz)
- Severity: High
- CVE: CVE-2021-3749

To:

### 🟡 axios (#1234)
- Update Type: Minor
- Current: 0.21.1 → Target: 0.22.0
- PR: https://github.com/org/repo/pull/1234

Original prompt

Adjust Dependabot Project Manager not to read the alerts but the PRs dependabot created instead

Custom agent used: agentic-workflows
GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing
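As an added example (not code from this PR, from gh-aw, or from the workflow itself), the parsing, grouping and prioritisation the description outlines, in Python: Dependabot titles are parsed with the "Bump {package} from {old} to {new} in {path}" pattern, update type is derived from the security label and the semver diff, and bundles are ranked security > major > minor > patch. It also takes up two of the review points on this page: bundle IDs are keyed by the full manifest path rather than its basename so two package.json files cannot collide, and update types map onto the project's High/Medium/Low Priority values. The PR dicts, their `manifest` field, the optional "in {path}" suffix and the manifest-to-runtime table are assumptions.

```python
import re
# Title pattern quoted in the PR description ("in {path}" treated as optional, an assumption):
TITLE_RE = re.compile(r"^[Bb]ump (?P<package>\S+) from (?P<old>\S+) to (?P<new>\S+)(?: in (?P<path>\S+))?$")
RUNTIME_BY_MANIFEST = {"package.json": "npm", "requirements.txt": "pip", "go.mod": "go"}  # basename -> runtime
RANK = {"Security": 0, "Major": 1, "Minor": 2, "Patch": 3}  # security > major > minor > patch
PRIORITY = {"Security": "High", "Major": "Medium", "Minor": "Medium", "Patch": "Low"}  # review-comment mapping
# Constructed sample of the PR metadata the workflow would read (assumed field names; not real PRs).
SAMPLE_PRS = [
    {"number": 1234, "author": "dependabot[bot]", "labels": ["dependencies"], "manifest": "package.json",
     "title": "Bump axios from 0.21.1 to 0.22.0", "url": "https://github.com/org/repo/pull/1234"},
    {"number": 1235, "author": "dependabot[bot]", "labels": ["dependencies", "security"],
     "manifest": "package.json", "title": "Bump lodash from 4.17.20 to 4.17.21", "url": "https://github.com/org/repo/pull/1235"},
    {"number": 1236, "author": "dependabot[bot]", "labels": ["dependencies"], "manifest": "frontend/package.json",
     "title": "Bump react from 17.0.2 to 18.2.0 in /frontend", "url": "https://github.com/org/repo/pull/1236"},
    {"number": 1237, "author": "someone", "labels": [], "manifest": "package.json",  # impostor, not Dependabot
     "title": "Bump axios from 0.21.1 to 9.9.9", "url": "https://github.com/org/repo/pull/1237"},
]

def update_type(old, new, labels):
    """Security label wins; otherwise Major/Minor/Patch from the first changed semver component."""
    if "security" in labels:
        return "Security"
    ver = lambda v: (tuple(int(x) for x in re.findall(r"\d+", v)) + (0, 0, 0))[:3]
    o, n = ver(old), ver(new)
    return "Major" if n[0] != o[0] else "Minor" if n[1] != o[1] else "Patch"

def parse_pr(pr):
    """Bundle-relevant fields of one PR, or None. The author login is the trust signal:
    a PR with a Dependabot-looking title but a different author is rejected."""
    m = TITLE_RE.match(pr["title"])
    if pr["author"] != "dependabot[bot]" or not m:
        return None
    runtime = RUNTIME_BY_MANIFEST.get(pr["manifest"].rsplit("/", 1)[-1], "unknown")
    # Bundle ID keeps the full manifest path, so frontend/package.json and package.json do not collide.
    return {"number": pr["number"], "url": pr["url"], "package": m["package"], "runtime": runtime,
            "old": m["old"], "new": m["new"], "update_type": update_type(m["old"], m["new"], pr["labels"]),
            "bundle_id": f"{runtime}-{pr['manifest'].replace('/', '-')}"}

def bundle_prs(prs):
    """Group parsed PRs by bundle ID and derive the project fields (PR Count, Update Type, Priority)."""
    groups = {}
    for item in filter(None, map(parse_pr, prs)):
        groups.setdefault(item["bundle_id"], []).append(item)
    bundles = {}
    for bid, items in groups.items():
        items.sort(key=lambda i: (RANK[i["update_type"]], i["number"]))  # highest-priority update first
        primary = items[0]["update_type"]
        bundles[bid] = {"Runtime": items[0]["runtime"], "PR Count": len(items), "Update Type": primary,
                        "Priority": PRIORITY[primary], "prs": items}
    return bundles
```

Running `bundle_prs(SAMPLE_PRS)` yields two bundles: the root package.json bundle is Security/High because the lodash PR outranks the axios minor bump, and the frontend bundle is Major/Medium; the impostor PR is dropped before grouping.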


Copilot AI and others added 2 commits February 6, 2026 20:51
…f alerts

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update Dependabot Project Manager to read PRs instead of alerts" to "Refactor Dependabot Project Manager to process PRs instead of security alerts" Feb 6, 2026
Copilot AI requested a review from mnkiefer February 6, 2026 20:55
mnkiefer marked this pull request as ready for review February 6, 2026 20:57
Copilot AI review requested due to automatic review settings February 6, 2026 20:57
mnkiefer merged commit 9e635d6 into main Feb 6, 2026
48 checks passed
mnkiefer deleted the copilot/update-dependabot-project-manager branch February 6, 2026 20:59
Copilot AI left a comment

Pull request overview

This PR refactors the Dependabot Project Manager workflow to operate on open Dependabot pull requests (PRs) instead of Dependabot security alerts, updating the bundling/tracking/assignment instructions and regenerating the compiled lock workflows accordingly.

Changes:

  • Switched the workflow’s instructions and project/issue templates from “alerts to remediate” to “PRs to review/merge”.
  • Updated project tracking fields/metrics terminology (e.g., PR Count, Update Type) and adjusted prioritization guidance.
  • Recompiled workflow lock files, including an awf runtime version bump to v0.13.12 in the affected locks.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.

Files reviewed:

  • .github/workflows/dependabot-project-manager.md: Updates the agent workflow instructions and templates to bundle/manage Dependabot PRs instead of alerts.
  • .github/workflows/dependabot-project-manager.lock.yml: Regenerated compiled workflow reflecting the updated source workflow (plus awf/image tag updates).
  • .github/workflows/daily-cli-tools-tester.lock.yml: Regenerated compiled workflow with awf/image tag updates to v0.13.12.

Comments suppressed due to low confidence (4)

.github/workflows/dependabot-project-manager.md:106

  • The bundle “update type breakdown” lists only patch/minor/major, but elsewhere you track Security updates (and later include Security in Update Type emojis/fields). This inconsistency will lead to confusing metrics in draft bodies/status updates; include Security in the breakdown (and clarify how security PRs are identified).
   - Total PR count and update type breakdown (patch/minor/major)
   - Unique manifest file path

3. **Prioritize bundles** based on:
   - Security updates (marked with security labels) get highest priority

.github/workflows/dependabot-project-manager.md:268

  • In the per-PR formatting template, Update Type is shown as {patch/minor/major} but you also support Security (and later show a Security emoji). Please include Security in this template (and ensure capitalization matches the values you use elsewhere, e.g., Patch/Minor/Major/Security).
- **Current Version**: {current_version}
- **Target Version**: {target_version}
- **Update Type**: {patch/minor/major}
- **Security**: {yes/no}
- **PR Link**: {pr_url}

.github/workflows/dependabot-project-manager.md:65

  • This intro sentence still says "coordinates remediation work" even though the workflow is now about reviewing/merging Dependabot PRs. Please update wording so the agent instructions consistently describe the new task.
You are the Dependabot Project Manager - an intelligent system that automatically organizes Dependabot PRs into manageable bundles, tracks them on a GitHub Projects board, and coordinates remediation work with Copilot agents.

.github/workflows/dependabot-project-manager.md:294

  • This view name still says “All Alerts Table” even though it’s describing PR bundles. Same as above: consider renaming for clarity or documenting that the legacy name is intentional (and align the safe-outputs view definition).
3. **All Alerts Table** (Table layout)
   - Shows all PR bundles with detailed fields
   - Useful for sorting and filtering by runtime, update type, or manifest


Comment on lines +150 to 152
"PR Count": "{total}",
"Update Type": "{primary_update_type}" // Security, Minor, Patch
}
Copilot AI Feb 6, 2026

Update Type comments/examples omit “Major” in a couple places (e.g., the field comment says “Security, Minor, Patch”), but later you define Update Type as Security/Major/Minor/Patch. Please make these consistent so the agent won’t drop major updates or mislabel them.

This issue also appears in the following locations of the same file:

  • line 102
  • line 264

---
name: Dependabot Project Manager
description: Automatically bundles Dependabot alerts by runtime and manifest, creates project items, and assigns them to Copilot for remediation with a "Review Required" status column
description: Automatically bundles Dependabot PRs by runtime and manifest, creates project items, and assigns them to Copilot for remediation with a "Review Required" status column
Copilot AI Feb 6, 2026

The workflow has been refocused from alert remediation to PR review/merging, but the frontmatter description still says "assigns them to Copilot for remediation". This should be updated to reflect the new behavior (review/approve/merge Dependabot PRs).

This issue also appears on line 64 of the same file.

- Manifest file path (package.json, requirements.txt, go.mod, etc.)
- Advisory summary and description
1. **Query Dependabot PRs** for repository ${{ github.repository }} using GitHub tools
- Use `search_pull_requests` or `list_pull_requests` to find PRs created by dependabot[bot]
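Review bot: with the advisory summary lines removed, the author filter is the only trust signal left in this step, so the instruction should say that `author:dependabot[bot]` is the authoritative check and that the title pattern ("Bump {package} from {old} to {new} in {path}") is only used to extract fields from PRs that already passed it; a PR from any other author whose title copies that pattern must not be bundled or handed to Copilot for review/merge.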
Copilot AI Feb 6, 2026

Phase 1 suggests using search_pull_requests or list_pull_requests, but the provided filter (author:dependabot[bot] is:pr is:open) is a search query (and won’t work with list_pull_requests). To avoid ambiguous/incorrect guidance, specify search_pull_requests here (or provide separate, correct instructions for each API).

Suggested change
- Use `search_pull_requests` or `list_pull_requests` to find PRs created by dependabot[bot]
- Use `search_pull_requests` to find PRs created by dependabot[bot]

Comment on lines 99 to 103
2. **Create bundle structure** for each group:
- Bundle ID: `{runtime}-{manifest-basename}` (e.g., "npm-package.json", "go-go.mod")
- List of alerts in the bundle (sorted by severity: critical → high → medium → low)
- Total alert count and severity breakdown
- List of PRs in the bundle with PR numbers and URLs
- Total PR count and update type breakdown (patch/minor/major)
- Unique manifest file path
Copilot AI Feb 6, 2026

Bundle ID uses {runtime}-{manifest-basename} while grouping is based on the full manifest path. If two manifests share the same basename in different directories, this ID/dedup key can collide and cause unrelated bundles to overwrite each other. Consider incorporating a sanitized relative path (or a short hash of the full path) into the bundle ID/title/dedup key.

Comment on lines 156 to 159
2. **Set appropriate fields**:
- **Status**: "Todo" (new bundles start here)
- **Priority**: Based on highest severity (Critical → High → MediumLow)
- **Priority**: Based on security labels and update type (Security → MinorPatch)
- **Runtime**: The ecosystem (npm, pip, go, etc.)
Copilot AI Feb 6, 2026

The Priority guidance mixes concepts: the Project field values are High/Medium/Low, but later the ordering is written as “Security → Minor → Patch”. Please rephrase to map update types to the actual Priority field values (e.g., Security→High, Major/Minor→Medium, Patch→Low) so the agent doesn’t try to set an invalid Priority option.

See below for a potential fix:

       "Priority": "{priority}",  // High (security updates), Medium (major/minor), Low (patch-only)
       "Runtime": "{runtime}",
       "Manifest": "{manifest_basename}",
       "PR Count": "{total}",
       "Update Type": "{primary_update_type}"  // Security, Major, Minor, Patch
     }
   })
  1. Set appropriate fields:
    • Status: "Todo" (new bundles start here)
    • Priority: Use project priority values mapped from update type and security labels (Security updates → High, Major/Minor → Medium, Patch-only → Low)
    • Runtime: The ecosystem (npm, pip, go, etc.)
    • Manifest: Basename of manifest file
    • PR Count: Number of PRs in bundle
    • Update Type: Primary update type (Security, Major, Minor, Patch)

# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md
#
# Automatically bundles Dependabot alerts by runtime and manifest, creates project items, and assigns them to Copilot for remediation with a "Review Required" status column
# Automatically bundles Dependabot PRs by runtime and manifest, creates project items, and assigns them to Copilot for remediation with a "Review Required" status column
Copilot AI Feb 6, 2026

This generated workflow header still says “assigns them to Copilot for remediation” even though the PR switches the workflow to PR review/merge. Update the source .md description accordingly and recompile so the lock file description matches the new behavior.

Suggested change
# Automatically bundles Dependabot PRs by runtime and manifest, creates project items, and assigns them to Copilot for remediation with a "Review Required" status column
# Automatically bundles Dependabot PRs by runtime and manifest, creates project items, and uses Copilot for PR review and merge with a "Review Required" status column

Comment on lines 282 to +285
1. **Dependabot Alerts Board** (Board layout)
- Group by: Status
- Columns: Todo, In Progress, Review Required, Done
- Shows all open alert bundles
- Shows all open PR bundles
Copilot AI Feb 6, 2026

This view name still says “Dependabot Alerts Board” even though the workflow now manages PR bundles. Either rename the view for consistency, or explicitly note that the legacy name is kept for backwards compatibility (and ensure the safe-outputs view definition matches).

This issue also appears on line 292 of the same file.

Comment on lines 51 to 55
expires: 7d
title-prefix: "[Dependabot Bundle] "
labels: [dependencies, security, dependabot]
labels: [dependencies, dependabot]
assignees: copilot # Automatically assigns Copilot when creating issues
max: 20
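Review bot: dropping `security` from `labels` applies to every issue this output creates, including bundles whose primary Update Type is Security, which the same file ranks highest; anyone triaging issues by the `security` label will no longer see those bundles. Consider applying the label only for bundles that contain security updates, if the create-issue output supports per-item labels, or state in the PR description why the label was removed for all bundles.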
Copilot AI Feb 6, 2026

The safe-output config here allows up to 20 issues (max: 20), but the compiled lock workflow currently enforces create_issue max=1 in its generated safe-outputs config. If this workflow is meant to create one issue per bundle (up to 20), the lock file/tool config needs to reflect that; otherwise reduce the documented max/logic to match the enforced limit.
